Fortinet Discloses SQL Injection Vulnerability in FortiMail Administrative Portal
Fortinet has disclosed an SQL injection vulnerability in FortiMail's administrative portal, allowing authenticated privileged attackers to execute unauthorized code or commands.
Fortinet disclosed a high-severity SQL injection vulnerability in FortiMail's administrative portal on May 12, 2026, tracked as FG-IR-26-132. The flaw, classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), allows an authenticated privileged attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests. The vulnerability carries a CVSSv3 score of 6.3, indicating a medium-to-high severity risk.
The vulnerability affects multiple versions of FortiMail, including 7.6.0 through 7.6.3, 7.4.0 through 7.4.5, and 7.2.0 through 7.2.8. Fortinet has released patches for all affected versions, urging administrators to upgrade to FortiMail 7.6.4, 7.4.6, or 7.2.9, respectively. The advisory was internally discovered and reported by Jaguar Perlas of the Fortinet Burnaby InfoSec team.
SQL injection vulnerabilities in administrative portals are particularly dangerous because they can allow attackers to manipulate backend databases, potentially extracting sensitive data, modifying configurations, or gaining deeper access to the network. While the vulnerability requires authenticated privileged access, it could be exploited in conjunction with other flaws or through social engineering to escalate privileges further.
FortiMail is a widely deployed email security gateway used by enterprises to protect against spam, malware, and phishing attacks. The administrative portal is a critical component for managing security policies, user accounts, and email filtering rules. A successful exploit could compromise the integrity of email security controls, potentially allowing attackers to bypass protections or intercept sensitive communications.
Fortinet has not reported any active exploitation of this vulnerability in the wild as of the advisory's publication. However, given the critical nature of email security infrastructure and the history of SQL injection attacks targeting enterprise appliances, administrators are strongly advised to apply patches promptly. The company recommends reviewing access controls to the administrative portal and implementing network segmentation to limit exposure.
This disclosure is part of a broader trend of vulnerabilities in enterprise security appliances, where administrative interfaces often become targets for attackers. Fortinet has been proactive in patching similar flaws in recent months, including a high-severity OS command injection vulnerability in FortiAP devices disclosed earlier in May 2026. The company's PSIRT team continues to emphasize the importance of timely patching and adherence to security best practices.
Organizations using FortiMail should prioritize upgrading to the patched versions and monitor for any unusual activity in administrative logs. The vulnerability underscores the need for robust access controls and regular security assessments of critical infrastructure components.